#VU49739 Improper input validation in Oracle Communications Session Report Manager


Published: 2021-01-21

Vulnerability identifier: #VU49739

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-5421

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Oracle Communications Session Report Manager
Server applications / Other server solutions

Vendor: Oracle

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle Communications Session Report Manager: 8.2.2

External links
http://www.oracle.com/security-alerts/cpujan2021.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM MobileFirst Platform Foundation
Improper input validation in Identity Manager
Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Multiple vulnerabilities in IBM Cognos Controller
Multiple vulnerabilities in IBM Tivoli Netcool Configuration Manager
Multiple vulnerabilities in Autodesk InfraWorks
Multiple vulnerabilities in IBM Security Risk Manager on CP4S
Improper input validation in IBM Security Guardium
Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in Oracle StorageTek ACSLS